Section 4.1.1 #48

Closed
jaspenc opened this issue Jan 18, 2017 · 2 comments · Fixed by #137
Comments

jaspenc commented Jan 18, 2017

The current language in Section 4.1.1 does not really address the subject of who can submit a certificate application. It is more about who cannot. In addition to this language, recommend this section address who can submit a request. Since this CP is for the FPKI Device Root, will certificate issuance be limited to Federal agencies? Authorized representatives of Federal agencies? Web Server Owners? Anyone authoritative for a .gov or .mil web resource?

@konklone
Contributor

Anyone authoritative for a .gov or .mil web resource?

I would strongly recommend the above, for a variety of reasons:

  • So that the PKI does not need to litigate the internal politics and approval structures of various agencies and offices.
  • To limit it further would take on risk that the PKI might violate its CP and put itself at audit risk for actions taken by other agencies that do not put any actual cryptographic integrity at risk.
  • Because the PKI should support the development of issuing CAs that issue free and automated DV certificates without any sort of formal pre-established business relationships being required. The friction to obtaining and deploying certificates should be as close to zero as possible, while ensuring that only those who demonstrate practical technical control for an in-scope domain (including .gov and .mil) get a certificate.

@LarryFrank

I am confused...

Current text says:

An application for a CA certificate shall be submitted by an authorized representative of the applicant CA.
A certificate application shall be submitted to the CA by the Subscriber, an authorized organization representative, or an RA on behalf of the Subscriber.
